team-executor
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads session metadata, task descriptions, and role specifications from a user-provided directory (`team-session.json`, `task-analysis.json`, and `role-specs/*.md`) and injects these values directly into the prompts for newly spawned `team-worker` agents.
  - Ingestion points: The `--session` argument defines the source directory for `team-session.json` and `role-specs/` markdown files.
  - Boundary markers: Absent. Instructions and data are interpolated directly into template strings (e.g., `requirement: <task-description>`) without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can spawn background agents (`Agent` tool) and execute shell commands (`Bash` tool).
  - Sanitization: The skill performs structural validation (checking for JSON fields and file existence) but does not sanitize the content of strings processed into agent prompts.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to perform state reconciliation and file management tasks. While these operations are defined for orchestration, the tool itself provides an unconstrained execution environment that could be abused if the agent is influenced by malicious session data.